ci: check cert

Author: Kuingsmile

.github/workflows/build-test.yml

@@ -223,30 +223,115 @@ jobs:
           
           echo "Certificate thumbprint configured: $THUMBPRINT"
       
-      - name: Diagnose cert store after SimplySign login (Windows)
+      - name: Diagnose SimplySign / Certum availability (Windows)
         if: matrix.platform == 'windows'
         shell: pwsh
         run: |
-          Start-Sleep -Seconds 60  # Wait for cert store to update
-          Write-Host "=== WHOAMI ==="
-          whoami
+          $ErrorActionPreference = "Continue"
+          Start-Sleep -Seconds 60
 
-           Write-Host "=== LIST CurrentUser\\My ==="
-           certutil -user -store My
-
-           Write-Host "=== LIST LocalMachine\\My ==="
-           certutil -store My
-
-           Write-Host "=== FILTER BY THUMBPRINT (if provided) ==="
-           $tp = "${{ secrets.CERTUM_CERTIFICATE_SHA1 }}".Replace(" ", "").ToUpper()
-           if ($tp) {
-             $hit = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $tp }
-             if ($hit) {
-               $hit | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
-             } else {
-               Write-Host "NOT FOUND in CurrentUser\\My: $tp"
-             }
-           }
+          $tp = "${{ secrets.CERTUM_CERTIFICATE_SHA1 }}".Replace(" ", "").ToUpper()
+          Write-Host "=== WHOAMI / SESSION ==="
+          whoami
+          qwinsta
+          Write-Host "Thumbprint to find: $tp"
+
+          Write-Host "`n=== SimplySign processes (if any) ==="
+          Get-Process | Where-Object { $_.ProcessName -match "simply|certum|sign|scard|smart" } | Select-Object ProcessName,Id,StartTime | Format-Table -Auto
+
+          Write-Host "`n=== Services (smart card / cryptsvc) ==="
+          Get-Service CryptSvc, SCardSvr -ErrorAction SilentlyContinue | Format-Table -Auto
+          # 可选：看看有没有 SimplySign/Certum 相关服务
+          Get-Service | Where-Object { $_.Name -match "simply|certum" -or $_.DisplayName -match "Simply|Certum" } | Format-Table -Auto
+
+          Write-Host "`n=== CSP/KSP list (certutil -csplist) ==="
+          certutil -csplist | Out-Host
+
+          Write-Host "`n=== Try dump CSP details (filter by keywords) ==="
+          $cspList = (certutil -csplist) 2>$null
+          $candidates = @()
+          foreach ($line in $cspList) {
+            if ($line -match "Certum|Simply|Asseco|Unizeto|KSP|CSP") { $candidates += $line.Trim() }
+          }
+          if ($candidates.Count -gt 0) {
+            $candidates | ForEach-Object {
+              Write-Host "`n--- certutil -csp `"$_`" ---"
+              certutil -csp "$_" | Out-Host
+            }
+          } else {
+            Write-Host "No obvious Certum/SimplySign provider strings found in csplist output."
+          }
+
+          Write-Host "`n=== Key containers (certutil -key) ==="
+          certutil -key | Out-Host
+
+          function List-Stores($root) {
+            Write-Host "`n=== Enumerating stores under $root ==="
+            $stores = Get-ChildItem "Cert:\$root" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty PSChildName
+            foreach ($s in $stores) {
+              Write-Host "`n-- Store: Cert:\$root\$s --"
+              try {
+                $items = Get-ChildItem "Cert:\$root\$s" -ErrorAction Stop
+                if ($items.Count -eq 0) {
+                  Write-Host "(empty)"
+                } else {
+                  $items | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey | Format-Table -Auto
+                }
+              } catch {
+                Write-Host "Failed to read Cert:\$root\$s : $($_.Exception.Message)"
+              }
+            }
+          }
+
+          function Find-Thumbprint($root, $tp) {
+            Write-Host "`n=== Searching thumbprint in $root (recursive) ==="
+            try {
+              $hit = Get-ChildItem "Cert:\$root" -Recurse -ErrorAction Stop | Where-Object { $_.Thumbprint -eq $tp }
+              if ($hit) {
+                $hit | ForEach-Object {
+                  Write-Host "FOUND: $($_.PSParentPath)"
+                  $_ | Format-List Subject, Thumbprint, NotAfter, HasPrivateKey, EnhancedKeyUsageList
+                }
+                return $true
+              } else {
+                Write-Host "NOT FOUND anywhere under Cert:\$root"
+                return $false
+              }
+            } catch {
+              Write-Host "Recursive search failed under Cert:\$root : $($_.Exception.Message)"
+              return $false
+            }
+          }
+
+          # 1) 全列出所有 store（CurrentUser & LocalMachine）
+          List-Stores "CurrentUser"
+          List-Stores "LocalMachine"
+
+          # 2) 全局按 thumbprint 搜索
+          $foundCU = $false
+          $foundLM = $false
+          if ($tp) {
+            $foundCU = Find-Thumbprint "CurrentUser" $tp
+            $foundLM = Find-Thumbprint "LocalMachine" $tp
+          } else {
+            Write-Host "No thumbprint provided."
+          }
+
+          # 3) 同时输出 certutil 的 store 列表（有时比 PSProvider 更直观）
+          Write-Host "`n=== certutil -user -store My ==="
+          certutil -user -store My | Out-Host
+          Write-Host "`n=== certutil -store My ==="
+          certutil -store My | Out-Host
+
+          Write-Host "`n=== Summary ==="
+          if ($tp -and ($foundCU -or $foundLM)) {
+            Write-Host "✅ Cert object FOUND in Windows cert stores."
+            Write-Host "Next: ensure Tauri/signtool uses the correct store (CurrentUser vs LocalMachine)."
+          } else {
+            Write-Host "❌ Cert object NOT found in any Windows cert store."
+            Write-Host "Next: rely on CSP/KSP signing (signCommand) OR import public .cer into CurrentUser\\My."
+            Write-Host "Also verify SimplySign login is in same user session (runneradmin) and not a service/SYSTEM context."
+          }
 
       - name: Build the app
         if: matrix.platform == 'windows' || matrix.platform == 'linux'